Description
After some research, it appears that a reflected cross-site scripting (XSS) vulnerability can be obtained when the server islands feature is used in the targeted application, regardless of what the component template(s) intended.
Recommendation
Update the astro package to the latest compatible version. Version details:
- Affected version(s): <= 5.15.6
- Patched version(s): 5.15.8
References
Related Issues
- Server secret was included in static assets and served to clients - Vulnerability
- seroval Affected by Prototype Pollution via JSON Deserialization - CVE-2026-23736
- ALTCHA Proof-of-Work Vulnerable to Challenge Splicing and Replay - CVE-2025-68113
- Astro has an Authentication Bypass via Double URL Encoding, a bypass for CVE-2025-64765 - CVE-2025-66202
Tags:
- npm
- astro
Last updated on November 19, 2025